Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 73 |
1 files changed, 47 insertions, 26 deletions
@@ -38,9 +38,9 @@ DESCRIPTION | |||
38 | tion algorithm to use from those offered by the server. | 38 | tion algorithm to use from those offered by the server. |
39 | 39 | ||
40 | Next, the server and the client enter an authentication dialog. The | 40 | Next, the server and the client enter an authentication dialog. The |
41 | client tries to authenticate itself using .rhosts authentication, .rhosts | 41 | client tries to authenticate itself using .rhosts authentication combined |
42 | authentication combined with RSA host authentication, RSA challenge-re- | 42 | with RSA host authentication, RSA challenge-response authentication, or |
43 | sponse authentication, or password based authentication. | 43 | password based authentication. |
44 | 44 | ||
45 | Regardless of the authentication type, the account is checked to ensure | 45 | Regardless of the authentication type, the account is checked to ensure |
46 | that it is accessible. An account is not accessible if it is locked, | 46 | that it is accessible. An account is not accessible if it is locked, |
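Review bot: the authentication list at new lines 41-43 describes the remaining methods in prose (".rhosts authentication combined with RSA host authentication") while the FILES hunks in the same patch refer to them by their configuration option names (RhostsRSAAuthentication, HostbasedAuthentication). Naming the option in parentheses here, e.g. ".rhosts authentication combined with RSA host authentication (RhostsRSAAuthentication)", would let a reader map the description to the sshd_config keyword they have to set.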
@@ -53,10 +53,8 @@ DESCRIPTION | |||
53 | field should be set to something other than these values (eg `NP' or | 53 | field should be set to something other than these values (eg `NP' or |
54 | `*NP*' ). | 54 | `*NP*' ). |
55 | 55 | ||
56 | rhosts authentication is normally disabled because it is fundamentally | 56 | rshd, rlogind, and rexecd are disabled (thus completely disabling rlogin |
57 | insecure, but can be enabled in the server configuration file if desired. | 57 | and rsh into the machine). |
58 | System security is not improved unless rshd, rlogind, and rexecd are dis- | ||
59 | abled (thus completely disabling rlogin and rsh into the machine). | ||
60 | 58 | ||
61 | SSH protocol version 2 | 59 | SSH protocol version 2 |
62 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) | 60 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) |
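Review bot: the sentence that survives at new lines 56-57, "rshd, rlogind, and rexecd are disabled (thus completely disabling rlogin and rsh into the machine).", has lost its leading clause. The removed text read "System security is not improved unless rshd, rlogind, and rexecd are disabled"; trimmed this way it now asserts, as a fact about the host, that those daemons are disabled. Either drop the fragment together with the rest of the rhosts paragraph, or keep the advice intact in conditional form. The advice is still relevant after this change, because the FILES section of the same page states that $HOME/.rhosts "is used by rlogind and rshd" as well as by sshd, so leaving those daemons running keeps a password-less path into the machine that the host-based methods do not cover.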
@@ -246,9 +244,10 @@ AUTHORIZED_KEYS FILE FORMAT | |||
246 | or ``ssh-rsa''. | 244 | or ``ssh-rsa''. |
247 | 245 | ||
248 | Note that lines in this file are usually several hundred bytes long (be- | 246 | Note that lines in this file are usually several hundred bytes long (be- |
249 | cause of the size of the public key encoding). You don't want to type | 247 | cause of the size of the public key encoding) up to a limit of 8 kilo- |
250 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub | 248 | bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 |
251 | file and edit it. | 249 | kilobits. You don't want to type them in; instead, copy the |
250 | identity.pub, id_dsa.pub or the id_rsa.pub file and edit it. | ||
252 | 251 | ||
253 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol | 252 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol |
254 | 2 keys of 768 bits. | 253 | 2 keys of 768 bits. |
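Review bot: the new text at lines 246-249 states the 8 kilobyte line limit and the DSA/RSA sizes it permits, but not what sshd does with an authorized_keys line that exceeds it. A reader who generates a larger key needs to know whether the entry is rejected outright, so the paragraph should say how an over-long line is handled. Stylistically, "up to a limit of 8 kilobytes" is tacked onto the "several hundred bytes long" sentence; a separate sentence ("Lines longer than 8 kilobytes are not supported, which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits.") reads more cleanly and, together with the 768-bit minimum in the following paragraph, would state both bounds explicitly.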
@@ -346,6 +345,12 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
346 | cate negation: if the host name matches a negated pattern, it is not ac- | 345 | cate negation: if the host name matches a negated pattern, it is not ac- |
347 | cepted (by that line) even if it matched another pattern on the line. | 346 | cepted (by that line) even if it matched another pattern on the line. |
348 | 347 | ||
348 | Alternately, hostnames may be stored in a hashed form which hides host | ||
349 | names and addresses should the file's contents be disclosed. Hashed | ||
350 | hostnames start with a `|' character. Only one hashed hostname may ap- | ||
351 | pear on a single line and none of the above negation or wildcard opera- | ||
352 | tors may be applied. | ||
353 | |||
349 | Bits, exponent, and modulus are taken directly from the RSA host key; | 354 | Bits, exponent, and modulus are taken directly from the RSA host key; |
350 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional | 355 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional |
351 | comment field continues to the end of the line, and is not used. | 356 | comment field continues to the end of the line, and is not used. |
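Review bot: the paragraph at 348-352 says hashing "hides host names and addresses should the file's contents be disclosed", which overstates what a hash of a low-entropy value can do. Anyone holding the file can test candidate hostnames or addresses against each entry, so the protection only holds against an attacker who cannot guess the names; the sentence should be qualified accordingly. The paragraph also never says what the two base64 fields between the `|` separators are, even though the format example added later in this patch shows them, and it gives the one-hashed-hostname-per-line restriction without saying that it follows from each hash covering exactly one name. One sentence on the entry format would help readers who must generate or verify entries by hand.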
@@ -370,6 +375,10 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
370 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi | 375 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
371 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | 376 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
372 | 377 | ||
378 | # A hashed hostname | ||
379 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa | ||
380 | AAAA1234.....= | ||
381 | |||
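Review bot: the hashed example at 379-380 wraps onto a second line in the rendered page, while the unhashed examples just above each sit on a single line. Because known_hosts entries are one per line, a reader copying this may assume the key material may continue on the following line. Shorten the placeholder key or drop the trailing comment so the whole entry fits within the line width, as the other examples do.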
373 | FILES | 382 | FILES |
374 | /etc/ssh/sshd_config | 383 | /etc/ssh/sshd_config |
375 | Contains configuration data for sshd. The file format and con- | 384 | Contains configuration data for sshd. The file format and con- |
@@ -428,6 +437,15 @@ FILES | |||
428 | /etc/ssh/ssh_known_hosts should be world-readable, and | 437 | /etc/ssh/ssh_known_hosts should be world-readable, and |
429 | $HOME/.ssh/known_hosts can, but need not be, world-readable. | 438 | $HOME/.ssh/known_hosts can, but need not be, world-readable. |
430 | 439 | ||
440 | /etc/motd | ||
441 | See motd(5). | ||
442 | |||
443 | $HOME/.hushlogin | ||
444 | This file is used to suppress printing the last login time and | ||
445 | /etc/motd, if PrintLastLog and PrintMotd, respectively, are en- | ||
446 | abled. It does not suppress printing of the banner specified by | ||
447 | Banner. | ||
448 | |||
431 | /etc/nologin | 449 | /etc/nologin |
432 | If this file exists, sshd refuses to let anyone except root log | 450 | If this file exists, sshd refuses to let anyone except root log |
433 | in. The contents of the file are displayed to anyone trying to | 451 | in. The contents of the file are displayed to anyone trying to |
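Review bot: the /etc/motd entry at 440-441 only says "See motd(5)" and does not state when sshd displays the file; "Printed at login when PrintMotd is enabled" would make the entry self-contained and parallel to the .hushlogin text, which already refers to PrintMotd. For $HOME/.hushlogin, the text correctly notes that Banner is not suppressed, but it does not say whether sshd checks the file's ownership or permissions before honouring it; since a user-writable file changes what is shown at login, stating that would be useful to administrators deciding whether PrintLastLog can be relied upon.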
@@ -439,11 +457,13 @@ FILES | |||
439 | fined here. Further details are described in hosts_access(5). | 457 | fined here. Further details are described in hosts_access(5). |
440 | 458 | ||
441 | $HOME/.rhosts | 459 | $HOME/.rhosts |
442 | This file contains host-username pairs, separated by a space, one | 460 | This file is used during RhostsRSAAuthentication and |
443 | per line. The given user on the corresponding host is permitted | 461 | HostbasedAuthentication and contains host-username pairs, sepa- |
444 | to log in without a password. The same file is used by rlogind | 462 | rated by a space, one per line. The given user on the corre- |
445 | and rshd. The file must be writable only by the user; it is rec- | 463 | sponding host is permitted to log in without a password. The |
446 | ommended that it not be accessible by others. | 464 | same file is used by rlogind and rshd. The file must be writable |
465 | only by the user; it is recommended that it not be accessible by | ||
466 | others. | ||
447 | 467 | ||
448 | It is also possible to use netgroups in the file. Either host or | 468 | It is also possible to use netgroups in the file. Either host or |
449 | user name may be of the form +@groupname to specify all hosts or | 469 | user name may be of the form +@groupname to specify all hosts or |
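Review bot: the rewritten $HOME/.rhosts text at 460-466 now covers RhostsRSAAuthentication and HostbasedAuthentication but still says only that the named user "is permitted to log in without a password". The matching /etc/hosts.equiv paragraph in this patch adds "Additionally, successful client host key authentication is required"; the same sentence belongs here, otherwise a reader could conclude that a .rhosts entry alone grants access without the client proving possession of its host key. Since "The same file is used by rlogind and rshd" is kept, the difference between sshd's requirement and the rsh daemons' lack of one is exactly the point worth making explicit.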
@@ -455,20 +475,21 @@ FILES | |||
455 | access using SSH only. | 475 | access using SSH only. |
456 | 476 | ||
457 | /etc/hosts.equiv | 477 | /etc/hosts.equiv |
458 | This file is used during rhosts authentication. In the simplest | 478 | This file is used during RhostsRSAAuthentication and |
459 | form, this file contains host names, one per line. Users on | 479 | HostbasedAuthentication authentication. In the simplest form, |
460 | those hosts are permitted to log in without a password, provided | 480 | this file contains host names, one per line. Users on those |
461 | they have the same user name on both machines. The host name may | 481 | hosts are permitted to log in without a password, provided they |
462 | also be followed by a user name; such users are permitted to log | 482 | have the same user name on both machines. The host name may also |
463 | in as any user on this machine (except root). Additionally, the | 483 | be followed by a user name; such users are permitted to log in as |
464 | syntax ``+@group'' can be used to specify netgroups. Negated en- | 484 | any user on this machine (except root). Additionally, the syntax |
465 | tries start with `-'. | 485 | ``+@group'' can be used to specify netgroups. Negated entries |
486 | start with `-'. | ||
466 | 487 | ||
467 | If the client host/user is successfully matched in this file, lo- | 488 | If the client host/user is successfully matched in this file, lo- |
468 | gin is automatically permitted provided the client and server us- | 489 | gin is automatically permitted provided the client and server us- |
469 | er names are the same. Additionally, successful RSA host authen- | 490 | er names are the same. Additionally, successful client host key |
470 | tication is normally required. This file must be writable only | 491 | authentication is required. This file must be writable only by |
471 | by root; it is recommended that it be world-readable. | 492 | root; it is recommended that it be world-readable. |
472 | 493 | ||
473 | Warning: It is almost never a good idea to use user names in | 494 | Warning: It is almost never a good idea to use user names in |
474 | hosts.equiv. Beware that it really means that the named user(s) | 495 | hosts.equiv. Beware that it really means that the named user(s) |
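Review bot: new line 479 reads "RhostsRSAAuthentication and HostbasedAuthentication authentication", duplicating the word; the $HOME/.rhosts entry in the same patch uses "during RhostsRSAAuthentication and HostbasedAuthentication", so match that wording. The change from "successful RSA host authentication is normally required" to "successful client host key authentication is required" at 490-491 is a welcome tightening, since "normally" left open whether some configuration skips the host key check; keep it unqualified as written.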